"Unfortunately, this information was provided before it was discovered that the request was made from a fraudulent account," Meachem wrote in an internal staff letter obtained by FOX 46.

It does not appear the staff who turned over the sensitive tax documents ever questioned or validated the request. The W-2 forms contain Social Security numbers, addresses and private financial information.

"The damage that could be done with that...someone could build a profile from these people really quick," said cyber expert Tom Jelneck. "Their identity could obviously be stolen and sold on the dark web so yeah that's a really big mistake."

Jelneck says this mistake shows a lack of security training.

"When you have those employee Social Security numbers....that should be guarded beyond anything," said Jelneck. "So I think that's not only a common sense issue, that's a corporate security training issue."

CHA officials discovered the breach on Friday Jan. 19. but waited until Monday to inform staff. A former employee says he just found out on Jan. 26.

Several employees coming in and out had "no comment" when asked about the hack.

The incident comes nearly two months after a Mecklenburg County employee clicked on a phishing e-mail, which resulted in hackers freezing servers and demanding a ransom

In light of this latest breach, CHA officials say they will implement new safeguards.

"We are strengthening our internal controls and all employees will now go through cyber training and personal information protection training," said Porter, in a statement, "regardless of their level of contact with or access to sensitive information."

Porter declined to be interviewed.

The IRS, Attorney General's Office, and the FBI's Internet Crime Complaint Center have been notified. Charlotte city officials were unaware until FOX 46 told them.

CHA will provide credit monitoring and identity theft protection to all employees for the next two years, Meachem announced in his letter to staff.

However, since Social Security numbers never change, employees could remain at risk for identity theft indefinitely.